Currently, if personal information held by your organisation is accessed by or disclosed to an unauthorised party, advising the affected individuals is merely voluntary. That will soon change if you are covered by the Privacy Act 1988. The Act generally applies to entities with an annual turnover of $3 million or more.
Amendments to the Act come into effect in Australia on 22 February 2018. Those amendments will require organisations to take prompt action on suspected data breaches or face substantial fines.
What is a data breach under the Act?
For the purposes of the Act, a data breach occurs when:
- there has been unauthorised access, or unauthorised disclosure of personal information; or
- personal information is lost in circumstances that are likely to result in unauthorised access or disclosure; and
- there is a likely risk of ‘serious harm’ to any individual affected by the breach. ‘Serious harm’ may include physical, psychological, emotional, economic and financial harm.
How must an organisation deal with a data breach?
Within 30 days after becoming aware of a potential data breach, the entity must conduct an assessment into the relevant circumstances. If a data breach meeting the above criteria is identified, the entity must notify both the Privacy Commissioner and the individuals affected as soon as practicable.
Substantial fines of up to $360,000 for individuals and $1.8 million for organisations may be issued for serious or repeated failure to comply.
What should organisations do now? Review, Protect and Prepare
In preparing for the new regime, you should:
- Protect data you hold
Prevention is better than cure. Conduct an internal review of policies and procedures concerning data security and disclosure.
- Prepare policies and procedures to deal with a breach
Update or create new policies and procedures to be followed if a data breach occurs to ensure your prompt compliance with the new regime.